File Investigation Report
PATCH.EXESystem Back Door
Your PC may be infected. The presence of a file called PATCH.EXE is a possible sign of infection.
You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including PATCH.EXE. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- System Back Door
- Cloaked Malware
File Behavior
PATCH.EXE has been seen to perform the following behavior:
- This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Registers a Dynamic Link Library File
- This Process Creates Other Processes On Disk
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Creates system tray popups, messages, errors and security warnings
- Adds a Registry Key (DXCOM) to auto start Programs on system start up
- Disables the built in Windows File Protection System
- This Process Deletes Other Processes From Disk
- Writes to another Process's Virtual Memory (Process Hijacking)
- Opens browser pop ups
- Uses DNS to retrieve the IP address for web sites
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Violates Windows/Vista Physical Memory Protection allowing it to look inside the data areas of other programs
- Can communicate with other computer systems using HTTP protocols
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
PATCH.EXE has been the subject of the following behavior:
- Created as a process on disk
- Copied to multiple locations on the system
- Executed as a Process
- Registered as a Dynamic Link Library File
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Deleted as a process from disk
- Executed from Temporary Folders
- Added as a Registry auto start to load Program on Boot up
- Added as a Registry Key (DXCOM) to auto start Programs on system start up
- Created as a new Background Service on the machine
- This program is often downloaded from the web
Country Of Origin
The filename PATCH.EXE was first seen on May 8 2007 in the following geographical regions of the Prevx community:
- The UNITED KINGDOM on May 8 2007
- SPAIN on May 8 2007
- ITALY on Dec 7 2007
- ARGENTINA on Jan 8 2008
- The UNITED STATES on May 21 2008
File Name Aliases
PATCH.EXE can also use the following file names:
- 13313.EX$
- TRUE'S.CRACK.EXE
- 14382262.EXE
- 26323608.EXE
- SPYWARE.DOCTOR.V5.5.0.278_PATCH.EXE
- GHYLFBLE.EXE
- 38967446.E
- ALL.XILISOFT-RES-PATCH.EXE
- 97657122.EXE
- 88526663.EXE
- 01544588.EXE
- 51313808.SVD
- 11613504.EXE
- FY[1].EXE
- _REJOICE082.EXE
- REJOICE082.EXE
- FY[2].EXE
- 83705206.DAT
Filesizes
The following file size has been seen:
- 494,592 bytes
- 234,496 bytes
- 18,608 bytes
- 99,840 bytes
- 62,976 bytes
- 395,006 bytes
- 649,471 bytes
- 865,540 bytes
Vendor, Product and Version Information
Files with the name PATCH.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- 张湘平; 注册器; 2.00
File Type
The filename PATCH.EXE refers to many versions of an executable program.
File Activity
One or more files with the name PATCH.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\KeyHook.dll